projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Kjetil Homme's patch for extended macro features (redefinition,
[exim.git] / src / src / acl.c
CommitLineData
cf00dad6 1/* $Cambridge: exim/src/src/acl.c,v 1.27 2005/04/05 13:58:35 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK		 37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
fb2274d4
TK		 48#endif
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
8e669ac1 56#endif
8523533c
TK		 57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK		 73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH		 78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK		 83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK		 89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
fb2274d4
TK		 95#endif
96#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
8523533c
TK		 103#endif
104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH		 126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH		 131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK		 139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH		 142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK		 144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK		 148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
fb2274d4
TK		 150#endif
151#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
e715ad22 155 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
8523533c 158#endif
059ec3d9
PH		 159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK		 167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK		 171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK		 175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH		 178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK		 181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH		 187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK		 195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH		 198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK		 200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK		 204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
fb2274d4
TK		 206#endif
207#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
e715ad22 211 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
8523533c 214#endif
059ec3d9
PH		 215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK		 222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK		 227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK		 231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH		 234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK		 237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH		 243 FALSE /* verify */
244};
245
c5fcb476 246/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 247each condition, there's a bitmap of dis-allowed times. For some, it is easier
248to specify the negation of a small number of allowed times. */
059ec3d9
PH		 249
250static unsigned int cond_forbids[] = {
251 0, /* acl */
8e669ac1 252
059ec3d9
PH		 253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
8e669ac1 255
8523533c 256#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264#endif
8e669ac1 265
059ec3d9 266 0, /* condition */
8e669ac1 267
059ec3d9 268 /* Certain types of control are always allowed, so we let it through
2f079f46 269 always and check in the control processing itself. */
8e669ac1 270
059ec3d9 271 0, /* control */
8e669ac1 272
8523533c 273#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
8523533c
TK		 276#endif
277
059ec3d9 278 0, /* delay */
8e669ac1 279
f7b63901 280#ifdef WITH_OLD_DEMIME
2f079f46
PH		 281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
8523533c 283#endif
8e669ac1 284
fb2274d4 285#ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
84330b7b 293
2f079f46 294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
84330b7b 301
2f079f46 302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
84330b7b 309
2f079f46 310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
84330b7b 317
2f079f46 318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
84330b7b 325
2f079f46 326 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333#endif
334
059ec3d9
PH		 335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
2f079f46
PH		 337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9
PH		 339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
8e669ac1 342
059ec3d9 343 0, /* endpass */
8e669ac1 344
059ec3d9
PH		 345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
2f079f46
PH		 347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 349
350 0, /* log_message */
8e669ac1 351
059ec3d9 352 0, /* logwrite */
8e669ac1 353
8523533c 354#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
8523533c
TK		 357#endif
358
059ec3d9
PH		 359 0, /* message */
360
8523533c 361#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
8523533c
TK		 364#endif
365
2f079f46
PH		 366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 368
8523533c 369#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
8523533c
TK		 373#endif
374
059ec3d9
PH		 375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
8523533c 389#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
8523533c
TK		 392#endif
393
394#ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400#endif
401
059ec3d9
PH		 402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
059ec3d9
PH		 406};
407
408
409/* Return values from decode_control() */
410
8e669ac1 411enum {
8523533c
TK		 412#ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
fb2274d4
TK		 414#endif
415#ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
8e669ac1 417#endif
8523533c 418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK		 420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421#ifdef WITH_CONTENT_SCAN
8e669ac1 422 CONTROL_NO_MBOX_UNSPOOL,
8523533c 423#endif
0f9b0483 424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 425
c5fcb476
PH		 426/* Bit map vector of which controls are not allowed at certain times. For
427each control, there's a bitmap of dis-allowed times. For some, it is easier to
428specify the negation of a small number of allowed times. */
429
430static unsigned int control_forbids[] = {
8523533c
TK		 431#ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433#endif
fb2274d4 434#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
fb2274d4 436#endif
3e11c26b 437
c5fcb476 438 0, /* error */
8e669ac1
PH		 439
440 (unsigned int)
c5fcb476 441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 442
443 (unsigned int)
c5fcb476 444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 445
c5fcb476 446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 447
c5fcb476 448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH		 449
450 (unsigned int)
c5fcb476
PH		 451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 454
455 (unsigned int)
c5fcb476
PH		 456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 459
460 (unsigned int)
c5fcb476 461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 462 (1<<ACL_WHERE_PREDATA)),
8523533c
TK		 463
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 (unsigned int)
14d57970 466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
8523533c 469#endif
a6c4ab60 470
8e669ac1 471 (unsigned int)
a6c4ab60 472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
8523533c 475
c5fcb476
PH		 476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
477};
478
479/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 480
481typedef struct control_def {
482 uschar *name;
483 int value; /* CONTROL_xxx value */
059ec3d9
PH		 484 BOOL has_option; /* Has /option(s) following */
485} control_def;
486
487static control_def controls_list[] = {
8523533c
TK		 488#ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
fb2274d4
TK		 490#endif
491#ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
8523533c 493#endif
c5fcb476
PH		 494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK		 501#ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 503#endif
0f9b0483 504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 505 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH		 506 };
507
508/* Enable recursion between acl_check_internal() and acl_check_condition() */
509
510static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
511 uschar **);
512
513
514/*************************************************
515* Pick out name from list *
516*************************************************/
517
518/* Use a binary chop method
519
520Arguments:
521 name name to find
522 list list of names
523 end size of list
524
525Returns: offset in list, or -1 if not found
526*/
527
528static int
529acl_checkname(uschar *name, uschar **list, int end)
530{
531int start = 0;
532
533while (start < end)
534 {
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
539 }
540
541return -1;
542}
543
544
545/*************************************************
546* Read and parse one ACL *
547*************************************************/
548
549/* This function is called both from readconf in order to parse the ACLs in the
550configuration file, and also when an ACL is encountered dynamically (e.g. as
551the result of an expansion). It is given a function to call in order to
552retrieve the lines of the ACL. This function handles skipping comments and
553blank lines (where relevant).
554
555Arguments:
556 func function to get next line of ACL
557 error where to put an error message
558
559Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
561*/
562
563acl_block *
564acl_read(uschar *(*func)(void), uschar **error)
565{
566acl_block *yield = NULL;
567acl_block **lastp = &yield;
568acl_block *this = NULL;
569acl_condition_block *cond;
570acl_condition_block **condp = NULL;
571uschar *s;
572
573*error = NULL;
574
575while ((s = (*func)()) != NULL)
576 {
577 int v, c;
578 BOOL negated = FALSE;
579 uschar *saveline = s;
580 uschar name[64];
581
582 /* Conditions (but not verbs) are allowed to be negated by an initial
583 exclamation mark. */
584
585 while (isspace(*s)) s++;
586 if (*s == '!')
587 {
588 negated = TRUE;
589 s++;
590 }
591
cf00dad6
PH		 592 /* Read the name of a verb or a condition, or the start of a new ACL, which
593 can be started by a name, or by a macro definition. */
059ec3d9
PH		 594
595 s = readconf_readname(name, sizeof(name), s);
cf00dad6 596 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
059ec3d9
PH		 597
598 /* If a verb is unrecognized, it may be another condition or modifier that
599 continues the previous verb. */
600
601 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
602 if (v < 0)
603 {
604 if (this == NULL)
605 {
606 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
607 return NULL;
608 }
609 }
610
611 /* New verb */
612
613 else
614 {
615 if (negated)
616 {
617 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
618 return NULL;
619 }
620 this = store_get(sizeof(acl_block));
621 *lastp = this;
622 lastp = &(this->next);
623 this->next = NULL;
624 this->verb = v;
625 this->condition = NULL;
626 condp = &(this->condition);
627 if (*s == 0) continue; /* No condition on this line */
628 if (*s == '!')
629 {
630 negated = TRUE;
631 s++;
632 }
633 s = readconf_readname(name, sizeof(name), s); /* Condition name */
634 }
635
636 /* Handle a condition or modifier. */
637
638 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
639 if (c < 0)
640 {
641 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
642 saveline);
643 return NULL;
644 }
645
646 /* The modifiers may not be negated */
647
648 if (negated && cond_modifiers[c])
649 {
650 *error = string_sprintf("ACL error: negation is not allowed with "
651 "\"%s\"", conditions[c]);
652 return NULL;
653 }
654
655 /* ENDPASS may occur only with ACCEPT or DISCARD. */
656
657 if (c == ACLC_ENDPASS &&
658 this->verb != ACL_ACCEPT &&
659 this->verb != ACL_DISCARD)
660 {
661 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
662 conditions[c], verbs[this->verb]);
663 return NULL;
664 }
665
666 cond = store_get(sizeof(acl_condition_block));
667 cond->next = NULL;
668 cond->type = c;
669 cond->u.negated = negated;
670
671 *condp = cond;
672 condp = &(cond->next);
673
674 /* The "set" modifier is different in that its argument is "name=value"
675 rather than just a value, and we can check the validity of the name, which
676 gives us a variable number to insert into the data block. */
677
678 if (c == ACLC_SET)
679 {
680 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
681 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
682 {
683 *error = string_sprintf("unrecognized name after \"set\" in ACL "
684 "modifier \"set %s\"", s);
685 return NULL;
686 }
687
688 cond->u.varnumber = s[5] - '0';
689 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
690 s += 6;
691 while (isspace(*s)) s++;
692 }
693
694 /* For "set", we are now positioned for the data. For the others, only
695 "endpass" has no data */
696
697 if (c != ACLC_ENDPASS)
698 {
699 if (*s++ != '=')
700 {
701 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
702 cond_modifiers[c]? US"modifier" : US"condition");
703 return NULL;
704 }
705 while (isspace(*s)) s++;
706 cond->arg = string_copy(s);
707 }
708 }
709
710return yield;
711}
712
713
714
715/*************************************************
716* Handle warnings *
717*************************************************/
718
719/* This function is called when a WARN verb's conditions are true. It adds to
720the message's headers, and/or writes information to the log. In each case, this
721only happens once (per message for headers, per connection for log).
722
723Arguments:
724 where ACL_WHERE_xxxx indicating which ACL this is
725 user_message message for adding to headers
726 log_message message for logging, if different
727
728Returns: nothing
729*/
730
731static void
732acl_warn(int where, uschar *user_message, uschar *log_message)
733{
734int hlen;
735
736if (log_message != NULL && log_message != user_message)
737 {
738 uschar *text;
739 string_item *logged;
740
741 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
742 string_printing(log_message));
743
744 /* If a sender verification has failed, and the log message is "sender verify
745 failed", add the failure message. */
746
747 if (sender_verified_failed != NULL &&
748 sender_verified_failed->message != NULL &&
749 strcmpic(log_message, US"sender verify failed") == 0)
750 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
751
752 /* Search previously logged warnings. They are kept in malloc store so they
753 can be freed at the start of a new message. */
754
755 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
756 if (Ustrcmp(logged->text, text) == 0) break;
757
758 if (logged == NULL)
759 {
760 int length = Ustrlen(text) + 1;
761 log_write(0, LOG_MAIN, "%s", text);
762 logged = store_malloc(sizeof(string_item) + length);
763 logged->text = (uschar *)logged + sizeof(string_item);
764 memcpy(logged->text, text, length);
765 logged->next = acl_warn_logged;
766 acl_warn_logged = logged;
767 }
768 }
769
770/* If there's no user message, we are done. */
771
772if (user_message == NULL) return;
773
774/* If this isn't a message ACL, we can't do anything with a user message.
775Log an error. */
776
777if (where > ACL_WHERE_NOTSMTP)
778 {
779 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
780 "found in a non-message (%s) ACL: cannot specify header lines here: "
781 "message ignored", acl_wherenames[where]);
782 return;
783 }
784
785/* Treat the user message as a sequence of one or more header lines. */
786
787hlen = Ustrlen(user_message);
788if (hlen > 0)
789 {
790 uschar *text, *p, *q;
791
792 /* Add a final newline if not present */
793
794 text = ((user_message)[hlen-1] == '\n')? user_message :
795 string_sprintf("%s\n", user_message);
796
797 /* Loop for multiple header lines, taking care about continuations */
798
799 for (p = q = text; *p != 0; )
800 {
801 uschar *s;
802 int newtype = htype_add_bot;
803 header_line **hptr = &acl_warn_headers;
804
805 /* Find next header line within the string */
806
807 for (;;)
808 {
809 q = Ustrchr(q, '\n');
810 if (*(++q) != ' ' && *q != '\t') break;
811 }
812
813 /* If the line starts with a colon, interpret the instruction for where to
814 add it. This temporarily sets up a new type. */
815
816 if (*p == ':')
817 {
818 if (strncmpic(p, US":after_received:", 16) == 0)
819 {
820 newtype = htype_add_rec;
821 p += 16;
822 }
8523533c
TK		 823 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
824 {
825 newtype = htype_add_rfc;
826 p += 14;
8e669ac1 827 }
059ec3d9
PH		 828 else if (strncmpic(p, US":at_start:", 10) == 0)
829 {
830 newtype = htype_add_top;
831 p += 10;
832 }
833 else if (strncmpic(p, US":at_end:", 8) == 0)
834 {
835 newtype = htype_add_bot;
836 p += 8;
837 }
838 while (*p == ' ' || *p == '\t') p++;
839 }
840
841 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
842 to the front of it. */
843
844 for (s = p; s < q - 1; s++)
845 {
846 if (*s == ':' || !isgraph(*s)) break;
847 }
848
849 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
850 hlen = Ustrlen(s);
851
852 /* See if this line has already been added */
853
854 while (*hptr != NULL)
855 {
856 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
857 hptr = &((*hptr)->next);
858 }
859
860 /* Add if not previously present */
861
862 if (*hptr == NULL)
863 {
864 header_line *h = store_get(sizeof(header_line));
865 h->text = s;
866 h->next = NULL;
867 h->type = newtype;
868 h->slen = hlen;
869 *hptr = h;
870 hptr = &(h->next);
871 }
872
873 /* Advance for next header line within the string */
874
875 p = q;
876 }
877 }
878}
879
880
881
882/*************************************************
883* Verify and check reverse DNS *
884*************************************************/
885
886/* Called from acl_verify() below. We look up the host name(s) of the client IP
887address if this has not yet been done. The host_name_lookup() function checks
888that one of these names resolves to an address list that contains the client IP
889address, so we don't actually have to do the check here.
890
891Arguments:
892 user_msgptr pointer for user message
893 log_msgptr pointer for log message
894
895Returns: OK verification condition succeeded
896 FAIL verification failed
897 DEFER there was a problem verifying
898*/
899
900static int
901acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
902{
903int rc;
904
905user_msgptr = user_msgptr; /* stop compiler warning */
906
907/* Previous success */
908
909if (sender_host_name != NULL) return OK;
910
911/* Previous failure */
912
913if (host_lookup_failed)
914 {
915 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
916 return FAIL;
917 }
918
919/* Need to do a lookup */
920
921HDEBUG(D_acl)
922 debug_printf("looking up host name to force name/address consistency check\n");
923
924if ((rc = host_name_lookup()) != OK)
925 {
926 *log_msgptr = (rc == DEFER)?
927 US"host lookup deferred for reverse lookup check"
928 :
929 string_sprintf("host lookup failed for reverse lookup check%s",
930 host_lookup_msg);
931 return rc; /* DEFER or FAIL */
932 }
933
934host_build_sender_fullhost();
935return OK;
936}
937
938
939
940/*************************************************
941* Handle verification (address & other) *
942*************************************************/
943
944/* This function implements the "verify" condition. It is called when
945encountered in any ACL, because some tests are almost always permitted. Some
946just don't make sense, and always fail (for example, an attempt to test a host
947lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
948
949Arguments:
950 where where called from
951 addr the recipient address that the ACL is handling, or NULL
952 arg the argument of "verify"
953 user_msgptr pointer for user message
954 log_msgptr pointer for log message
955 basic_errno where to put verify errno
956
957Returns: OK verification condition succeeded
958 FAIL verification failed
959 DEFER there was a problem verifying
960 ERROR syntax error
961*/
962
963static int
964acl_verify(int where, address_item *addr, uschar *arg,
965 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
966{
967int sep = '/';
968int callout = -1;
969int callout_overall = -1;
4deaf07d 970int callout_connect = -1;
059ec3d9
PH		 971int verify_options = 0;
972int rc;
973BOOL verify_header_sender = FALSE;
974BOOL defer_ok = FALSE;
975BOOL callout_defer_ok = FALSE;
976BOOL no_details = FALSE;
977address_item *sender_vaddr = NULL;
978uschar *verify_sender_address = NULL;
979uschar *pm_mailfrom = NULL;
980uschar *se_mailfrom = NULL;
596875b3
PH		 981
982/* Some of the verify items have slash-separated options; some do not. Diagnose
983an error if options are given for items that don't expect them. This code has
984now got very message. Refactoring to use a table would be a good idea one day.
985*/
986
987uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 988uschar *list = arg;
989uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
990
991if (ss == NULL) goto BAD_VERIFY;
992
993/* Handle name/address consistency verification in a separate function. */
994
995if (strcmpic(ss, US"reverse_host_lookup") == 0)
996 {
596875b3 997 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 998 if (sender_host_address == NULL) return OK;
999 return acl_verify_reverse(user_msgptr, log_msgptr);
1000 }
1001
1002/* TLS certificate verification is done at STARTTLS time; here we just
1003test whether it was successful or not. (This is for optional verification; for
1004mandatory verification, the connection doesn't last this long.) */
1005
1006if (strcmpic(ss, US"certificate") == 0)
1007 {
596875b3 1008 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1009 if (tls_certificate_verified) return OK;
1010 *user_msgptr = US"no verified certificate";
1011 return FAIL;
1012 }
1013
1014/* We can test the result of optional HELO verification */
1015
596875b3
PH		 1016if (strcmpic(ss, US"helo") == 0)
1017 {
1018 if (slash != NULL) goto NO_OPTIONS;
1019 return helo_verified? OK : FAIL;
1020 }
059ec3d9 1021
596875b3
PH		 1022/* Check that all relevant header lines have the correct syntax. If there is
1023a syntax error, we return details of the error to the sender if configured to
1024send out full details. (But a "message" setting on the ACL can override, as
1025always). */
059ec3d9 1026
596875b3 1027if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1028 {
596875b3 1029 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1030 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1031 {
1032 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1033 "(only possible in ACL for DATA)", acl_wherenames[where]);
1034 return ERROR;
1035 }
596875b3
PH		 1036 rc = verify_check_headers(log_msgptr);
1037 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1038 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1039 return rc;
1040 }
059ec3d9 1041
059ec3d9 1042
596875b3
PH		 1043/* The remaining verification tests check recipient and sender addresses,
1044either from the envelope or from the header. There are a number of
1045slash-separated options that are common to all of them. */
059ec3d9 1046
059ec3d9 1047
596875b3
PH		 1048/* Check that there is at least one verifiable sender address in the relevant
1049header lines. This can be followed by callout and defer options, just like
1050sender and recipient. */
059ec3d9 1051
596875b3
PH		 1052if (strcmpic(ss, US"header_sender") == 0)
1053 {
1054 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1055 {
1056 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1057 "(only possible in ACL for DATA)", acl_wherenames[where]);
1058 return ERROR;
1059 }
1060 verify_header_sender = TRUE;
059ec3d9
PH		 1061 }
1062
1063/* Otherwise, first item in verify argument must be "sender" or "recipient".
1064In the case of a sender, this can optionally be followed by an address to use
1065in place of the actual sender (rare special-case requirement). */
1066
1067else if (strncmpic(ss, US"sender", 6) == 0)
1068 {
1069 uschar *s = ss + 6;
1070 if (where > ACL_WHERE_NOTSMTP)
1071 {
1072 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1073 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1074 acl_wherenames[where]);
1075 return ERROR;
1076 }
1077 if (*s == 0)
1078 verify_sender_address = sender_address;
1079 else
1080 {
1081 while (isspace(*s)) s++;
1082 if (*s++ != '=') goto BAD_VERIFY;
1083 while (isspace(*s)) s++;
1084 verify_sender_address = string_copy(s);
1085 }
1086 }
1087else
1088 {
1089 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1090 if (addr == NULL)
1091 {
1092 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1093 "(only possible for RCPT)", acl_wherenames[where]);
1094 return ERROR;
1095 }
1096 }
1097
596875b3
PH		 1098/* Remaining items are optional; they apply to sender and recipient
1099verification, including "header sender" verification. */
059ec3d9
PH		 1100
1101while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1102 != NULL)
1103 {
1104 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1105 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1106
1107 /* These two old options are left for backwards compatibility */
1108
1109 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1110 {
1111 callout_defer_ok = TRUE;
1112 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1113 }
1114
1115 else if (strcmpic(ss, US"check_postmaster") == 0)
1116 {
1117 pm_mailfrom = US"";
1118 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1119 }
1120
1121 /* The callout option has a number of sub-options, comma separated */
1122
1123 else if (strncmpic(ss, US"callout", 7) == 0)
1124 {
1125 callout = CALLOUT_TIMEOUT_DEFAULT;
1126 ss += 7;
1127 if (*ss != 0)
1128 {
1129 while (isspace(*ss)) ss++;
1130 if (*ss++ == '=')
1131 {
1132 int optsep = ',';
1133 uschar *opt;
1134 uschar buffer[256];
1135 while (isspace(*ss)) ss++;
8e669ac1
PH		 1136
1137 /* This callout option handling code has become a mess as new options
1138 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1139 kind of table-driven thing. */
8e669ac1 1140
059ec3d9
PH		 1141 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1142 != NULL)
1143 {
1144 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1145 else if (strcmpic(opt, US"no_cache") == 0)
1146 verify_options |= vopt_callout_no_cache;
1147 else if (strcmpic(opt, US"random") == 0)
1148 verify_options |= vopt_callout_random;
1149 else if (strcmpic(opt, US"use_sender") == 0)
1150 verify_options |= vopt_callout_recipsender;
1151 else if (strcmpic(opt, US"use_postmaster") == 0)
1152 verify_options |= vopt_callout_recippmaster;
1153 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1154
1155 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1156 {
1157 if (!verify_header_sender)
1158 {
1159 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1160 "callout option only for verify=header_sender (detected in ACL "
1161 "condition \"%s\")", arg);
1162 return ERROR;
1163 }
1164 opt += 8;
1165 while (isspace(*opt)) opt++;
1166 if (*opt++ != '=')
1167 {
1168 *log_msgptr = string_sprintf("'=' expected after "
1169 "\"mailfrom\" in ACL condition \"%s\"", arg);
1170 return ERROR;
1171 }
1172 while (isspace(*opt)) opt++;
1173 se_mailfrom = string_copy(opt);
1174 }
1175
1176 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1177 {
1178 opt += 19;
1179 while (isspace(*opt)) opt++;
1180 if (*opt++ != '=')
1181 {
1182 *log_msgptr = string_sprintf("'=' expected after "
1183 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1184 return ERROR;
1185 }
1186 while (isspace(*opt)) opt++;
1187 pm_mailfrom = string_copy(opt);
1188 }
1189
1190 else if (strncmpic(opt, US"maxwait", 7) == 0)
1191 {
1192 opt += 7;
1193 while (isspace(*opt)) opt++;
1194 if (*opt++ != '=')
1195 {
1196 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1197 "ACL condition \"%s\"", arg);
1198 return ERROR;
1199 }
1200 while (isspace(*opt)) opt++;
1201 callout_overall = readconf_readtime(opt, 0, FALSE);
1202 if (callout_overall < 0)
1203 {
1204 *log_msgptr = string_sprintf("bad time value in ACL condition "
1205 "\"verify %s\"", arg);
1206 return ERROR;
1207 }
1208 }
4deaf07d
PH		 1209 else if (strncmpic(opt, US"connect", 7) == 0)
1210 {
1211 opt += 7;
1212 while (isspace(*opt)) opt++;
1213 if (*opt++ != '=')
1214 {
1215 *log_msgptr = string_sprintf("'=' expected after "
1216 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1217 return ERROR;
1218 }
1219 while (isspace(*opt)) opt++;
1220 callout_connect = readconf_readtime(opt, 0, FALSE);
1221 if (callout_connect < 0)
1222 {
1223 *log_msgptr = string_sprintf("bad time value in ACL condition "
1224 "\"verify %s\"", arg);
1225 return ERROR;
1226 }
1227 }
059ec3d9
PH		 1228 else /* Plain time is callout connect/command timeout */
1229 {
1230 callout = readconf_readtime(opt, 0, FALSE);
1231 if (callout < 0)
1232 {
1233 *log_msgptr = string_sprintf("bad time value in ACL condition "
1234 "\"verify %s\"", arg);
1235 return ERROR;
1236 }
1237 }
1238 }
1239 }
1240 else
1241 {
1242 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1243 "ACL condition \"%s\"", arg);
1244 return ERROR;
1245 }
1246 }
1247 }
1248
1249 /* Option not recognized */
1250
1251 else
1252 {
1253 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1254 "condition \"verify %s\"", ss, arg);
1255 return ERROR;
1256 }
1257 }
1258
1259if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1260 (vopt_callout_recipsender|vopt_callout_recippmaster))
1261 {
1262 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1263 "for a recipient callout";
1264 return ERROR;
1265 }
1266
1267/* Handle sender-in-header verification. Default the user message to the log
1268message if giving out verification details. */
1269
1270if (verify_header_sender)
1271 {
8e669ac1 1272 int verrno;
059ec3d9 1273 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1274 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1275 &verrno);
1276 if (rc != OK)
8e669ac1 1277 {
fe5b5d0b
PH		 1278 *basic_errno = verrno;
1279 if (smtp_return_error_details)
1280 {
1281 if (*user_msgptr == NULL && *log_msgptr != NULL)
1282 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1283 if (rc == DEFER) acl_temp_details = TRUE;
1284 }
8e669ac1 1285 }
059ec3d9
PH		 1286 }
1287
1288/* Handle a sender address. The default is to verify *the* sender address, but
1289optionally a different address can be given, for special requirements. If the
1290address is empty, we are dealing with a bounce message that has no sender, so
1291we cannot do any checking. If the real sender address gets rewritten during
1292verification (e.g. DNS widening), set the flag to stop it being rewritten again
1293during message reception.
1294
1295A list of verified "sender" addresses is kept to try to avoid doing to much
1296work repetitively when there are multiple recipients in a message and they all
1297require sender verification. However, when callouts are involved, it gets too
1298complicated because different recipients may require different callout options.
1299Therefore, we always do a full sender verify when any kind of callout is
1300specified. Caching elsewhere, for instance in the DNS resolver and in the
1301callout handling, should ensure that this is not terribly inefficient. */
1302
1303else if (verify_sender_address != NULL)
1304 {
1305 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1306 != 0)
1307 {
1308 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1309 "sender verify callout";
1310 return ERROR;
1311 }
1312
1313 sender_vaddr = verify_checked_sender(verify_sender_address);
1314 if (sender_vaddr != NULL && /* Previously checked */
1315 callout <= 0) /* No callout needed this time */
1316 {
1317 /* If the "routed" flag is set, it means that routing worked before, so
1318 this check can give OK (the saved return code value, if set, belongs to a
1319 callout that was done previously). If the "routed" flag is not set, routing
1320 must have failed, so we use the saved return code. */
1321
1322 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1323 {
1324 rc = sender_vaddr->special_action;
1325 *basic_errno = sender_vaddr->basic_errno;
1326 }
1327 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1328 }
1329
1330 /* Do a new verification, and cache the result. The cache is used to avoid
1331 verifying the sender multiple times for multiple RCPTs when callouts are not
1332 specified (see comments above).
1333
1334 The cache is also used on failure to give details in response to the first
1335 RCPT that gets bounced for this reason. However, this can be suppressed by
1336 the no_details option, which sets the flag that says "this detail has already
1337 been sent". The cache normally contains just one address, but there may be
1338 more in esoteric circumstances. */
1339
1340 else
1341 {
1342 BOOL routed = TRUE;
2a3eea10 1343 uschar *save_address_data = deliver_address_data;
8e669ac1 1344
059ec3d9
PH		 1345 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1346 if (no_details) setflag(sender_vaddr, af_sverify_told);
1347 if (verify_sender_address[0] != 0)
1348 {
1349 /* If this is the real sender address, save the unrewritten version
1350 for use later in receive. Otherwise, set a flag so that rewriting the
1351 sender in verify_address() does not update sender_address. */
1352
1353 if (verify_sender_address == sender_address)
1354 sender_address_unrewritten = sender_address;
1355 else
1356 verify_options |= vopt_fake_sender;
1357
1358 /* The recipient, qualify, and expn options are never set in
1359 verify_options. */
1360
1361 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1362 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1363
1364 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1365
1366 if (rc == OK)
1367 {
1368 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1369 {
1370 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1371 verify_sender_address, sender_vaddr->address);
1372 }
1373 else
1374 {
1375 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1376 verify_sender_address);
1377 }
1378 }
1379 else *basic_errno = sender_vaddr->basic_errno;
1380 }
1381 else rc = OK; /* Null sender */
1382
1383 /* Cache the result code */
1384
1385 if (routed) setflag(sender_vaddr, af_verify_routed);
1386 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1387 sender_vaddr->special_action = rc;
1388 sender_vaddr->next = sender_verified_list;
1389 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1390
1391 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1392 the sender verification. */
8e669ac1 1393
2a3eea10 1394 deliver_address_data = save_address_data;
059ec3d9 1395 }
8e669ac1 1396
2a3eea10
PH		 1397 /* Put the sender address_data value into $sender_address_data */
1398
8e669ac1 1399 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1400 }
1401
1402/* A recipient address just gets a straightforward verify; again we must handle
1403the DEFER overrides. */
1404
1405else
1406 {
1407 address_item addr2;
1408
1409 /* We must use a copy of the address for verification, because it might
1410 get rewritten. */
1411
1412 addr2 = *addr;
1413 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1414 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1415 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1416
059ec3d9 1417 *log_msgptr = addr2.message;
8e669ac1 1418 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1419 addr2.user_message : addr2.message;
059ec3d9
PH		 1420 *basic_errno = addr2.basic_errno;
1421
1422 /* Make $address_data visible */
1423 deliver_address_data = addr2.p.address_data;
1424 }
1425
1426/* We have a result from the relevant test. Handle defer overrides first. */
1427
1428if (rc == DEFER && (defer_ok ||
1429 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1430 {
1431 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1432 defer_ok? "defer_ok" : "callout_defer_ok");
1433 rc = OK;
1434 }
1435
1436/* If we've failed a sender, set up a recipient message, and point
1437sender_verified_failed to the address item that actually failed. */
1438
1439if (rc != OK && verify_sender_address != NULL)
1440 {
1441 if (rc != DEFER)
1442 {
1443 *log_msgptr = *user_msgptr = US"Sender verify failed";
1444 }
1445 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1446 {
1447 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1448 }
1449 else
1450 {
1451 *log_msgptr = US"Could not complete sender verify callout";
1452 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1453 *log_msgptr;
1454 }
1455
1456 sender_verified_failed = sender_vaddr;
1457 }
1458
1459/* Verifying an address messes up the values of $domain and $local_part,
1460so reset them before returning if this is a RCPT ACL. */
1461
1462if (addr != NULL)
1463 {
1464 deliver_domain = addr->domain;
1465 deliver_localpart = addr->local_part;
1466 }
1467return rc;
1468
1469/* Syntax errors in the verify argument come here. */
1470
1471BAD_VERIFY:
1472*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1473 "\"helo\", \"header_syntax\", \"header_sender\" or "
1474 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 1475 "\"verify %s\"", arg);
1476return ERROR;
596875b3
PH		 1477
1478/* Options supplied when not allowed come here */
1479
1480NO_OPTIONS:
1481*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1482 "(this verify item has no options)", arg);
1483return ERROR;
059ec3d9
PH		 1484}
1485
1486
1487
1488
1489/*************************************************
1490* Check argument for control= modifier *
1491*************************************************/
1492
1493/* Called from acl_check_condition() below
1494
1495Arguments:
1496 arg the argument string for control=
1497 pptr set to point to the terminating character
1498 where which ACL we are in
1499 log_msgptr for error messages
1500
1501Returns: CONTROL_xxx value
1502*/
1503
1504static int
1505decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1506{
1507int len;
1508control_def *d;
1509
1510for (d = controls_list;
1511 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1512 d++)
1513 {
1514 len = Ustrlen(d->name);
1515 if (Ustrncmp(d->name, arg, len) == 0) break;
1516 }
1517
1518if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1519 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1520 {
1521 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1522 return CONTROL_ERROR;
1523 }
1524
059ec3d9
PH		 1525*pptr = arg + len;
1526return d->value;
1527}
1528
1529
1530
1531/*************************************************
1532* Handle conditions/modifiers on an ACL item *
1533*************************************************/
1534
1535/* Called from acl_check() below.
1536
1537Arguments:
1538 verb ACL verb
1539 cb ACL condition block - if NULL, result is OK
1540 where where called from
1541 addr the address being checked for RCPT, or NULL
1542 level the nesting level
1543 epp pointer to pass back TRUE if "endpass" encountered
1544 (applies only to "accept" and "discard")
1545 user_msgptr user message pointer
1546 log_msgptr log message pointer
1547 basic_errno pointer to where to put verify error
1548
1549Returns: OK - all conditions are met
1550 DISCARD - an "acl" condition returned DISCARD - only allowed
1551 for "accept" or "discard" verbs
1552 FAIL - at least one condition fails
1553 FAIL_DROP - an "acl" condition returned FAIL_DROP
1554 DEFER - can't tell at the moment (typically, lookup defer,
1555 but can be temporary callout problem)
1556 ERROR - ERROR from nested ACL or expansion failure or other
1557 error
1558*/
1559
1560static int
1561acl_check_condition(int verb, acl_condition_block *cb, int where,
1562 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1563 uschar **log_msgptr, int *basic_errno)
1564{
1565uschar *user_message = NULL;
1566uschar *log_message = NULL;
1567uschar *p;
1568int rc = OK;
8523533c
TK		 1569#ifdef WITH_CONTENT_SCAN
1570int sep = '/';
1571#endif
059ec3d9
PH		 1572
1573for (; cb != NULL; cb = cb->next)
1574 {
1575 uschar *arg;
8e669ac1 1576 int control_type;
059ec3d9
PH		 1577
1578 /* The message and log_message items set up messages to be used in
1579 case of rejection. They are expanded later. */
1580
1581 if (cb->type == ACLC_MESSAGE)
1582 {
1583 user_message = cb->arg;
1584 continue;
1585 }
1586
1587 if (cb->type == ACLC_LOG_MESSAGE)
1588 {
1589 log_message = cb->arg;
1590 continue;
1591 }
1592
1593 /* The endpass "condition" just sets a flag to show it occurred. This is
1594 checked at compile time to be on an "accept" or "discard" item. */
1595
1596 if (cb->type == ACLC_ENDPASS)
1597 {
1598 *epp = TRUE;
1599 continue;
1600 }
1601
1602 /* For other conditions and modifiers, the argument is expanded now for some
1603 of them, but not for all, because expansion happens down in some lower level
1604 checking functions in some cases. */
1605
1606 if (cond_expand_at_top[cb->type])
1607 {
1608 arg = expand_string(cb->arg);
1609 if (arg == NULL)
1610 {
1611 if (expand_string_forcedfail) continue;
1612 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1613 cb->arg, expand_string_message);
1614 return search_find_defer? DEFER : ERROR;
1615 }
1616 }
1617 else arg = cb->arg;
1618
1619 /* Show condition, and expanded condition if it's different */
1620
1621 HDEBUG(D_acl)
1622 {
1623 int lhswidth = 0;
1624 debug_printf("check %s%s %n",
1625 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1626 conditions[cb->type], &lhswidth);
1627
1628 if (cb->type == ACLC_SET)
1629 {
1630 int n = cb->u.varnumber;
1631 int t = (n < ACL_C_MAX)? 'c' : 'm';
1632 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1633 debug_printf("acl_%c%d ", t, n);
1634 lhswidth += 7;
1635 }
1636
1637 debug_printf("= %s\n", cb->arg);
1638
1639 if (arg != cb->arg)
1640 debug_printf("%.*s= %s\n", lhswidth,
1641 US" ", CS arg);
1642 }
1643
1644 /* Check that this condition makes sense at this time */
1645
1646 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1647 {
1648 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1649 cond_modifiers[cb->type]? "use" : "test",
1650 conditions[cb->type], acl_wherenames[where]);
1651 return ERROR;
1652 }
1653
1654 /* Run the appropriate test for each condition, or take the appropriate
1655 action for the remaining modifiers. */
1656
1657 switch(cb->type)
1658 {
1659 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1660 "discard" verb. */
1661
1662 case ACLC_ACL:
1663 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1664 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1665 {
1666 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1667 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1668 verbs[verb]);
1669 return ERROR;
1670 }
1671 break;
1672
1673 case ACLC_AUTHENTICATED:
1674 rc = (sender_host_authenticated == NULL)? FAIL :
1675 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1676 TRUE, NULL);
1677 break;
1678
8523533c
TK		 1679#ifdef EXPERIMENTAL_BRIGHTMAIL
1680 case ACLC_BMI_OPTIN:
1681 {
1682 int old_pool = store_pool;
1683 store_pool = POOL_PERM;
1684 bmi_current_optin = string_copy(arg);
1685 store_pool = old_pool;
1686 }
1687 break;
1688#endif
1689
059ec3d9
PH		 1690 case ACLC_CONDITION:
1691 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1692 rc = (Uatoi(arg) == 0)? FAIL : OK;
1693 else
1694 rc = (strcmpic(arg, US"no") == 0 ||
1695 strcmpic(arg, US"false") == 0)? FAIL :
1696 (strcmpic(arg, US"yes") == 0 ||
1697 strcmpic(arg, US"true") == 0)? OK : DEFER;
1698 if (rc == DEFER)
1699 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1700 break;
1701
1702 case ACLC_CONTROL:
c5fcb476
PH		 1703 control_type = decode_control(arg, &p, where, log_msgptr);
1704
8523533c 1705 /* Check if this control makes sense at this time */
c5fcb476
PH		 1706
1707 if ((control_forbids[control_type] & (1 << where)) != 0)
1708 {
1709 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1710 controls[control_type], acl_wherenames[where]);
1711 return ERROR;
8e669ac1 1712 }
c5fcb476
PH		 1713
1714 switch(control_type)
059ec3d9 1715 {
8523533c
TK		 1716#ifdef EXPERIMENTAL_BRIGHTMAIL
1717 case CONTROL_BMI_RUN:
1718 bmi_run = 1;
1719 break;
1720#endif
fb2274d4
TK		 1721#ifdef EXPERIMENTAL_DOMAINKEYS
1722 case CONTROL_DK_VERIFY:
1723 dk_do_verify = 1;
1724 break;
1725#endif
059ec3d9
PH		 1726 case CONTROL_ERROR:
1727 return ERROR;
1728
1729 case CONTROL_CASEFUL_LOCAL_PART:
1730 deliver_localpart = addr->cc_local_part;
1731 break;
1732
1733 case CONTROL_CASELOWER_LOCAL_PART:
1734 deliver_localpart = addr->lc_local_part;
1735 break;
1736
1737 case CONTROL_ENFORCE_SYNC:
1738 smtp_enforce_sync = TRUE;
1739 break;
1740
1741 case CONTROL_NO_ENFORCE_SYNC:
1742 smtp_enforce_sync = FALSE;
1743 break;
1744
8523533c
TK		 1745#ifdef WITH_CONTENT_SCAN
1746 case CONTROL_NO_MBOX_UNSPOOL:
1747 no_mbox_unspool = TRUE;
1748 break;
1749#endif
1750
059ec3d9
PH		 1751 case CONTROL_NO_MULTILINE:
1752 no_multiline_responses = TRUE;
1753 break;
1754
8523533c
TK		 1755 case CONTROL_FAKEREJECT:
1756 fake_reject = TRUE;
1757 if (*p == '/')
8e669ac1 1758 {
8523533c 1759 uschar *pp = p + 1;
8e669ac1 1760 while (*pp != 0) pp++;
8523533c
TK		 1761 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1762 p = pp;
1763 }
1764 else
1765 {
1766 /* Explicitly reset to default string */
dc082449 1767 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 1768 }
1769 break;
8523533c 1770
059ec3d9
PH		 1771 case CONTROL_FREEZE:
1772 deliver_freeze = TRUE;
1773 deliver_frozen_at = time(NULL);
1774 break;
1775
1776 case CONTROL_QUEUE_ONLY:
1777 queue_only_policy = TRUE;
1778 break;
1779
1780 case CONTROL_SUBMISSION:
1781 submission_mode = TRUE;
69358f02 1782 while (*p == '/')
8e669ac1 1783 {
69358f02
PH		 1784 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1785 {
1786 p += 14;
1787 active_local_sender_retain = TRUE;
8e669ac1
PH		 1788 active_local_from_check = FALSE;
1789 }
69358f02
PH		 1790 else if (Ustrncmp(p, "/domain=", 8) == 0)
1791 {
1792 uschar *pp = p + 8;
8e669ac1 1793 while (*pp != 0 && *pp != '/') pp++;
69358f02 1794 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1795 p = pp;
69358f02 1796 }
8e669ac1
PH		 1797 else break;
1798 }
69358f02 1799 if (*p != 0)
059ec3d9 1800 {
69358f02 1801 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 1802 return ERROR;
1803 }
1804 break;
1805 }
1806 break;
1807
8523533c
TK		 1808#ifdef WITH_CONTENT_SCAN
1809 case ACLC_DECODE:
1810 rc = mime_decode(&arg);
1811 break;
1812#endif
1813
059ec3d9
PH		 1814 case ACLC_DELAY:
1815 {
1816 int delay = readconf_readtime(arg, 0, FALSE);
1817 if (delay < 0)
1818 {
1819 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1820 "modifier: \"%s\" is not a time value", arg);
1821 return ERROR;
1822 }
1823 else
1824 {
1825 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1826 delay);
1827 if (host_checking)
1828 {
1829 HDEBUG(D_acl)
1830 debug_printf("delay skipped in -bh checking mode\n");
1831 }
8e669ac1 1832 else
86b8287f
PH		 1833 {
1834 while (delay > 0) delay = sleep(delay);
8e669ac1 1835 }
059ec3d9
PH		 1836 }
1837 }
1838 break;
1839
8523533c
TK		 1840#ifdef WITH_OLD_DEMIME
1841 case ACLC_DEMIME:
1842 rc = demime(&arg);
1843 break;
1844#endif
1845
fb2274d4
TK		 1846#ifdef EXPERIMENTAL_DOMAINKEYS
1847 case ACLC_DK_DOMAIN_SOURCE:
1848 if (dk_verify_block == NULL) { rc = FAIL; break; };
1849 /* check header source of domain against given string */
1850 switch (dk_verify_block->address_source) {
1851 case DK_EXIM_ADDRESS_FROM_FROM:
1852 rc = match_isinlist(US"from", &arg, 0, NULL,
1853 NULL, MCL_STRING, TRUE, NULL);
1854 break;
1855 case DK_EXIM_ADDRESS_FROM_SENDER:
1856 rc = match_isinlist(US"sender", &arg, 0, NULL,
1857 NULL, MCL_STRING, TRUE, NULL);
1858 break;
1859 case DK_EXIM_ADDRESS_NONE:
1860 rc = match_isinlist(US"none", &arg, 0, NULL,
1861 NULL, MCL_STRING, TRUE, NULL);
1862 break;
1863 }
1864 break;
1865 case ACLC_DK_POLICY:
1866 if (dk_verify_block == NULL) { rc = FAIL; break; };
1867 /* check policy against given string, default FAIL */
1868 rc = FAIL;
1869 if (dk_verify_block->signsall)
1870 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1871 NULL, MCL_STRING, TRUE, NULL);
1872 if (dk_verify_block->testing)
1873 rc = match_isinlist(US"testing", &arg, 0, NULL,
1874 NULL, MCL_STRING, TRUE, NULL);
1875 break;
1876 case ACLC_DK_SENDER_DOMAINS:
1877 if (dk_verify_block == NULL) { rc = FAIL; break; };
1878 if (dk_verify_block->domain != NULL)
1879 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1880 NULL, MCL_DOMAIN, TRUE, NULL);
1881 else rc = FAIL;
1882 break;
1883 case ACLC_DK_SENDER_LOCAL_PARTS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->local_part != NULL)
1886 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1887 NULL, MCL_LOCALPART, TRUE, NULL);
1888 else rc = FAIL;
1889 break;
1890 case ACLC_DK_SENDERS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->address != NULL)
1893 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1894 else rc = FAIL;
1895 break;
1896 case ACLC_DK_STATUS:
1897 if (dk_verify_block == NULL) { rc = FAIL; break; };
1898 if (dk_verify_block->result > 0) {
1899 switch(dk_verify_block->result) {
1900 case DK_EXIM_RESULT_BAD_FORMAT:
1901 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1902 NULL, MCL_STRING, TRUE, NULL);
1903 break;
1904 case DK_EXIM_RESULT_NO_KEY:
1905 rc = match_isinlist(US"no key", &arg, 0, NULL,
1906 NULL, MCL_STRING, TRUE, NULL);
1907 break;
1908 case DK_EXIM_RESULT_NO_SIGNATURE:
1909 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1910 NULL, MCL_STRING, TRUE, NULL);
1911 break;
1912 case DK_EXIM_RESULT_REVOKED:
1913 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1914 NULL, MCL_STRING, TRUE, NULL);
1915 break;
1916 case DK_EXIM_RESULT_NON_PARTICIPANT:
1917 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1918 NULL, MCL_STRING, TRUE, NULL);
1919 break;
1920 case DK_EXIM_RESULT_GOOD:
1921 rc = match_isinlist(US"good", &arg, 0, NULL,
1922 NULL, MCL_STRING, TRUE, NULL);
1923 break;
1924 case DK_EXIM_RESULT_BAD:
1925 rc = match_isinlist(US"bad", &arg, 0, NULL,
1926 NULL, MCL_STRING, TRUE, NULL);
1927 break;
1928 }
1929 }
1930 break;
1931#endif
1932
059ec3d9
PH		 1933 case ACLC_DNSLISTS:
1934 rc = verify_check_dnsbl(&arg);
1935 break;
1936
1937 case ACLC_DOMAINS:
1938 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1939 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1940 break;
1941
1942 /* The value in tls_cipher is the full cipher name, for example,
1943 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1944 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1945 what may in practice come out of the SSL library - which at the time of
1946 writing is poorly documented. */
1947
1948 case ACLC_ENCRYPTED:
1949 if (tls_cipher == NULL) rc = FAIL; else
1950 {
1951 uschar *endcipher = NULL;
1952 uschar *cipher = Ustrchr(tls_cipher, ':');
1953 if (cipher == NULL) cipher = tls_cipher; else
1954 {
1955 endcipher = Ustrchr(++cipher, ':');
1956 if (endcipher != NULL) *endcipher = 0;
1957 }
1958 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1959 if (endcipher != NULL) *endcipher = ':';
1960 }
1961 break;
1962
1963 /* Use verify_check_this_host() instead of verify_check_host() so that
1964 we can pass over &host_data to catch any looked up data. Once it has been
1965 set, it retains its value so that it's still there if another ACL verb
1966 comes through here and uses the cache. However, we must put it into
1967 permanent store in case it is also expected to be used in a subsequent
1968 message in the same SMTP connection. */
1969
1970 case ACLC_HOSTS:
1971 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1972 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1973 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1974 break;
1975
1976 case ACLC_LOCAL_PARTS:
1977 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1978 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1979 &deliver_localpart_data);
1980 break;
1981
1982 case ACLC_LOGWRITE:
1983 {
1984 int logbits = 0;
1985 uschar *s = arg;
1986 if (*s == ':')
1987 {
1988 s++;
1989 while (*s != ':')
1990 {
1991 if (Ustrncmp(s, "main", 4) == 0)
1992 { logbits |= LOG_MAIN; s += 4; }
1993 else if (Ustrncmp(s, "panic", 5) == 0)
1994 { logbits |= LOG_PANIC; s += 5; }
1995 else if (Ustrncmp(s, "reject", 6) == 0)
1996 { logbits |= LOG_REJECT; s += 6; }
1997 else
1998 {
1999 logbits = LOG_MAIN|LOG_PANIC;
2000 s = string_sprintf(":unknown log name in \"%s\" in "
2001 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2002 }
2003 if (*s == ',') s++;
2004 }
2005 s++;
2006 }
2007 while (isspace(*s)) s++;
2008 if (logbits == 0) logbits = LOG_MAIN;
2009 log_write(0, logbits, "%s", string_printing(s));
2010 }
2011 break;
8e669ac1 2012
8523533c
TK		 2013#ifdef WITH_CONTENT_SCAN
2014 case ACLC_MALWARE:
2015 {
2016 /* Seperate the regular expression and any optional parameters. */
2017 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2018 /* Run the malware backend. */
2019 rc = malware(&ss);
2020 /* Modify return code based upon the existance of options. */
2021 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2022 != NULL) {
2023 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2024 {
2025 /* FAIL so that the message is passed to the next ACL */
2026 rc = FAIL;
2027 }
2028 }
2029 }
2030 break;
2031
2032 case ACLC_MIME_REGEX:
2033 rc = mime_regex(&arg);
2034 break;
2035#endif
059ec3d9
PH		 2036
2037 case ACLC_RECIPIENTS:
2038 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2039 &recipient_data);
2040 break;
2041
8523533c
TK		 2042#ifdef WITH_CONTENT_SCAN
2043 case ACLC_REGEX:
2044 rc = regex(&arg);
2045 break;
2046#endif
2047
059ec3d9
PH		 2048 case ACLC_SENDER_DOMAINS:
2049 {
2050 uschar *sdomain;
2051 sdomain = Ustrrchr(sender_address, '@');
2052 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2053 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2054 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2055 }
2056 break;
2057
2058 case ACLC_SENDERS:
2059 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2060 sender_address_cache, -1, 0, &sender_data);
2061 break;
2062
2063 /* Connection variables must persist forever */
2064
2065 case ACLC_SET:
2066 {
2067 int old_pool = store_pool;
2068 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2069 acl_var[cb->u.varnumber] = string_copy(arg);
2070 store_pool = old_pool;
2071 }
2072 break;
2073
8523533c
TK		 2074#ifdef WITH_CONTENT_SCAN
2075 case ACLC_SPAM:
2076 {
2077 /* Seperate the regular expression and any optional parameters. */
2078 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2079 /* Run the spam backend. */
2080 rc = spam(&ss);
2081 /* Modify return code based upon the existance of options. */
2082 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2083 != NULL) {
2084 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2085 {
2086 /* FAIL so that the message is passed to the next ACL */
2087 rc = FAIL;
2088 }
2089 }
2090 }
2091 break;
2092#endif
2093
2094#ifdef EXPERIMENTAL_SPF
2095 case ACLC_SPF:
2096 rc = spf_process(&arg, sender_address);
2097 break;
2098#endif
2099
059ec3d9
PH		 2100 /* If the verb is WARN, discard any user message from verification, because
2101 such messages are SMTP responses, not header additions. The latter come
2102 only from explicit "message" modifiers. */
2103
2104 case ACLC_VERIFY:
2105 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2106 if (verb == ACL_WARN) *user_msgptr = NULL;
2107 break;
2108
2109 default:
2110 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2111 "condition %d", cb->type);
2112 break;
2113 }
2114
2115 /* If a condition was negated, invert OK/FAIL. */
2116
2117 if (!cond_modifiers[cb->type] && cb->u.negated)
2118 {
2119 if (rc == OK) rc = FAIL;
2120 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2121 }
2122
2123 if (rc != OK) break; /* Conditions loop */
2124 }
2125
2126
2127/* If the result is the one for which "message" and/or "log_message" are used,
2128handle the values of these options. Most verbs have but a single return for
2129which the messages are relevant, but for "discard", it's useful to have the log
2130message both when it succeeds and when it fails. Also, for an "accept" that
2131appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2132and "warn" are permitted in that ACL, we don't need to test the verb.
2133
2134These modifiers act in different ways:
2135
2136"message" is a user message that will be included in an SMTP response. Unless
2137it is empty, it overrides any previously set user message.
2138
2139"log_message" is a non-user message, and it adds to any existing non-user
2140message that is already set.
2141
2142If there isn't a log message set, we make it the same as the user message. */
2143
2144if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2145 (verb == ACL_DISCARD && rc == OK) ||
2146 (where == ACL_WHERE_QUIT))
2147 {
2148 uschar *expmessage;
2149
2150 /* If the verb is "warn", messages generated by conditions (verification or
2151 nested ACLs) are discarded. Only messages specified at this level are used.
2152 However, the value of an existing message is available in $acl_verify_message
2153 during expansions. */
2154
2155 uschar *old_user_msgptr = *user_msgptr;
2156 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2157
2158 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2159
2160 if (user_message != NULL)
2161 {
2162 acl_verify_message = old_user_msgptr;
2163 expmessage = expand_string(user_message);
2164 if (expmessage == NULL)
2165 {
2166 if (!expand_string_forcedfail)
2167 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2168 user_message, expand_string_message);
2169 }
2170 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2171 }
2172
2173 if (log_message != NULL)
2174 {
2175 acl_verify_message = old_log_msgptr;
2176 expmessage = expand_string(log_message);
2177 if (expmessage == NULL)
2178 {
2179 if (!expand_string_forcedfail)
2180 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2181 log_message, expand_string_message);
2182 }
2183 else if (expmessage[0] != 0)
2184 {
2185 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2186 string_sprintf("%s: %s", expmessage, *log_msgptr);
2187 }
2188 }
2189
2190 /* If no log message, default it to the user message */
2191
2192 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2193 }
2194
2195acl_verify_message = NULL;
2196return rc;
2197}
2198
2199
2200
2201
2202
2203/*************************************************
2204* Get line from a literal ACL *
2205*************************************************/
2206
2207/* This function is passed to acl_read() in order to extract individual lines
2208of a literal ACL, which we access via static pointers. We can destroy the
2209contents because this is called only once (the compiled ACL is remembered).
2210
2211This code is intended to treat the data in the same way as lines in the main
2212Exim configuration file. That is:
2213
2214 . Leading spaces are ignored.
2215
2216 . A \ at the end of a line is a continuation - trailing spaces after the \
2217 are permitted (this is because I don't believe in making invisible things
2218 significant). Leading spaces on the continued part of a line are ignored.
2219
2220 . Physical lines starting (significantly) with # are totally ignored, and
2221 may appear within a sequence of backslash-continued lines.
2222
2223 . Blank lines are ignored, but will end a sequence of continuations.
2224
2225Arguments: none
2226Returns: a pointer to the next line
2227*/
2228
2229
2230static uschar *acl_text; /* Current pointer in the text */
2231static uschar *acl_text_end; /* Points one past the terminating '0' */
2232
2233
2234static uschar *
2235acl_getline(void)
2236{
2237uschar *yield;
2238
2239/* This loop handles leading blank lines and comments. */
2240
2241for(;;)
2242 {
2243 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2244 if (*acl_text == 0) return NULL; /* No more data */
2245 yield = acl_text; /* Potential data line */
2246
2247 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2248
2249 /* If we hit the end before a newline, we have the whole logical line. If
2250 it's a comment, there's no more data to be given. Otherwise, yield it. */
2251
2252 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2253
2254 /* After reaching a newline, end this loop if the physical line does not
2255 start with '#'. If it does, it's a comment, and the loop continues. */
2256
2257 if (*yield != '#') break;
2258 }
2259
2260/* This loop handles continuations. We know we have some real data, ending in
2261newline. See if there is a continuation marker at the end (ignoring trailing
2262white space). We know that *yield is not white space, so no need to test for
2263cont > yield in the backwards scanning loop. */
2264
2265for(;;)
2266 {
2267 uschar *cont;
2268 for (cont = acl_text - 1; isspace(*cont); cont--);
2269
2270 /* If no continuation follows, we are done. Mark the end of the line and
2271 return it. */
2272
2273 if (*cont != '\\')
2274 {
2275 *acl_text++ = 0;
2276 return yield;
2277 }
2278
2279 /* We have encountered a continuation. Skip over whitespace at the start of
2280 the next line, and indeed the whole of the next line or lines if they are
2281 comment lines. */
2282
2283 for (;;)
2284 {
2285 while (*(++acl_text) == ' ' || *acl_text == '\t');
2286 if (*acl_text != '#') break;
2287 while (*(++acl_text) != 0 && *acl_text != '\n');
2288 }
2289
2290 /* We have the start of a continuation line. Move all the rest of the data
2291 to join onto the previous line, and then find its end. If the end is not a
2292 newline, we are done. Otherwise loop to look for another continuation. */
2293
2294 memmove(cont, acl_text, acl_text_end - acl_text);
2295 acl_text_end -= acl_text - cont;
2296 acl_text = cont;
2297 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2298 if (*acl_text == 0) return yield;
2299 }
2300
2301/* Control does not reach here */
2302}
2303
2304
2305
2306
2307
2308/*************************************************
2309* Check access using an ACL *
2310*************************************************/
2311
2312/* This function is called from address_check. It may recurse via
2313acl_check_condition() - hence the use of a level to stop looping. The ACL is
2314passed as a string which is expanded. A forced failure implies no access check
2315is required. If the result is a single word, it is taken as the name of an ACL
2316which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2317text, complete with newlines, and parsed as such. In both cases, the ACL check
2318is then run. This function uses an auxiliary function for acl_read() to call
2319for reading individual lines of a literal ACL. This is acl_getline(), which
2320appears immediately above.
2321
2322Arguments:
2323 where where called from
2324 addr address item when called from RCPT; otherwise NULL
2325 s the input string; NULL is the same as an empty ACL => DENY
2326 level the nesting level
2327 user_msgptr where to put a user error (for SMTP response)
2328 log_msgptr where to put a logging message (not for SMTP response)
2329
2330Returns: OK access is granted
2331 DISCARD access is apparently granted...
2332 FAIL access is denied
2333 FAIL_DROP access is denied; drop the connection
2334 DEFER can't tell at the moment
2335 ERROR disaster
2336*/
2337
2338static int
2339acl_check_internal(int where, address_item *addr, uschar *s, int level,
2340 uschar **user_msgptr, uschar **log_msgptr)
2341{
2342int fd = -1;
2343acl_block *acl = NULL;
2344uschar *acl_name = US"inline ACL";
2345uschar *ss;
2346
2347/* Catch configuration loops */
2348
2349if (level > 20)
2350 {
2351 *log_msgptr = US"ACL nested too deep: possible loop";
2352 return ERROR;
2353 }
2354
2355if (s == NULL)
2356 {
2357 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2358 return FAIL;
2359 }
2360
2361/* At top level, we expand the incoming string. At lower levels, it has already
2362been expanded as part of condition processing. */
2363
2364if (level == 0)
2365 {
2366 ss = expand_string(s);
2367 if (ss == NULL)
2368 {
2369 if (expand_string_forcedfail) return OK;
2370 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2371 expand_string_message);
2372 return ERROR;
2373 }
2374 }
2375else ss = s;
2376
2377while (isspace(*ss))ss++;
2378
2379/* If we can't find a named ACL, the default is to parse it as an inline one.
2380(Unless it begins with a slash; non-existent files give rise to an error.) */
2381
2382acl_text = ss;
2383
2384/* Handle the case of a string that does not contain any spaces. Look for a
2385named ACL among those read from the configuration, or a previously read file.
2386It is possible that the pointer to the ACL is NULL if the configuration
2387contains a name with no data. If not found, and the text begins with '/',
2388read an ACL from a file, and save it so it can be re-used. */
2389
2390if (Ustrchr(ss, ' ') == NULL)
2391 {
2392 tree_node *t = tree_search(acl_anchor, ss);
2393 if (t != NULL)
2394 {
2395 acl = (acl_block *)(t->data.ptr);
2396 if (acl == NULL)
2397 {
2398 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2399 return FAIL;
2400 }
2401 acl_name = string_sprintf("ACL \"%s\"", ss);
2402 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2403 }
2404
2405 else if (*ss == '/')
2406 {
2407 struct stat statbuf;
2408 fd = Uopen(ss, O_RDONLY, 0);
2409 if (fd < 0)
2410 {
2411 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2412 strerror(errno));
2413 return ERROR;
2414 }
2415
2416 if (fstat(fd, &statbuf) != 0)
2417 {
2418 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2419 strerror(errno));
2420 return ERROR;
2421 }
2422
2423 acl_text = store_get(statbuf.st_size + 1);
2424 acl_text_end = acl_text + statbuf.st_size + 1;
2425
2426 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2427 {
2428 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2429 ss, strerror(errno));
2430 return ERROR;
2431 }
2432 acl_text[statbuf.st_size] = 0;
2433 close(fd);
2434
2435 acl_name = string_sprintf("ACL \"%s\"", ss);
2436 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2437 }
2438 }
2439
2440/* Parse an ACL that is still in text form. If it came from a file, remember it
2441in the ACL tree, having read it into the POOL_PERM store pool so that it
2442persists between multiple messages. */
2443
2444if (acl == NULL)
2445 {
2446 int old_pool = store_pool;
2447 if (fd >= 0) store_pool = POOL_PERM;
2448 acl = acl_read(acl_getline, log_msgptr);
2449 store_pool = old_pool;
2450 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2451 if (fd >= 0)
2452 {
2453 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2454 Ustrcpy(t->name, ss);
2455 t->data.ptr = acl;
2456 (void)tree_insertnode(&acl_anchor, t);
2457 }
2458 }
2459
2460/* Now we have an ACL to use. It's possible it may be NULL. */
2461
2462while (acl != NULL)
2463 {
2464 int cond;
2465 int basic_errno = 0;
2466 BOOL endpass_seen = FALSE;
2467
2468 *log_msgptr = *user_msgptr = NULL;
2469 acl_temp_details = FALSE;
2470
2471 if (where == ACL_WHERE_QUIT &&
2472 acl->verb != ACL_ACCEPT &&
2473 acl->verb != ACL_WARN)
2474 {
2475 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2476 verbs[acl->verb]);
2477 return ERROR;
2478 }
2479
2480 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2481
2482 /* Clear out any search error message from a previous check before testing
2483 this condition. */
2484
2485 search_error_message = NULL;
2486 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2487 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2488
2489 /* Handle special returns: DEFER causes a return except on a WARN verb;
2490 ERROR always causes a return. */
2491
2492 switch (cond)
2493 {
2494 case DEFER:
2495 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2496 if (basic_errno != ERRNO_CALLOUTDEFER)
2497 {
2498 if (search_error_message != NULL && *search_error_message != 0)
2499 *log_msgptr = search_error_message;
2500 if (smtp_return_error_details) acl_temp_details = TRUE;
2501 }
2502 else
2503 {
2504 acl_temp_details = TRUE;
2505 }
2506 if (acl->verb != ACL_WARN) return DEFER;
2507 break;
2508
2509 default: /* Paranoia */
2510 case ERROR:
2511 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2512 return ERROR;
2513
2514 case OK:
2515 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2516 verbs[acl->verb]);
2517 break;
2518
2519 case FAIL:
2520 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2521 break;
2522
2523 /* DISCARD and DROP can happen only from a nested ACL condition, and
2524 DISCARD can happen only for an "accept" or "discard" verb. */
2525
2526 case DISCARD:
2527 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2528 verbs[acl->verb]);
2529 break;
2530
2531 case FAIL_DROP:
2532 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2533 verbs[acl->verb]);
2534 break;
2535 }
2536
2537 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2538 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2539 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2540
2541 switch(acl->verb)
2542 {
2543 case ACL_ACCEPT:
2544 if (cond == OK || cond == DISCARD) return cond;
2545 if (endpass_seen)
2546 {
2547 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2548 return cond;
2549 }
2550 break;
2551
2552 case ACL_DEFER:
2553 if (cond == OK)
2554 {
2555 acl_temp_details = TRUE;
2556 return DEFER;
2557 }
2558 break;
2559
2560 case ACL_DENY:
2561 if (cond == OK) return FAIL;
2562 break;
2563
2564 case ACL_DISCARD:
2565 if (cond == OK || cond == DISCARD) return DISCARD;
2566 if (endpass_seen)
2567 {
2568 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2569 return cond;
2570 }
2571 break;
2572
2573 case ACL_DROP:
2574 if (cond == OK) return FAIL_DROP;
2575 break;
2576
2577 case ACL_REQUIRE:
2578 if (cond != OK) return cond;
2579 break;
2580
2581 case ACL_WARN:
2582 if (cond == OK)
2583 acl_warn(where, *user_msgptr, *log_msgptr);
2584 else if (cond == DEFER)
2585 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2586 "condition test deferred: %s",
2587 (*log_msgptr == NULL)? US"" : *log_msgptr));
2588 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2589 break;
2590
2591 default:
2592 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2593 acl->verb);
2594 break;
2595 }
2596
2597 /* Pass to the next ACL item */
2598
2599 acl = acl->next;
2600 }
2601
2602/* We have reached the end of the ACL. This is an implicit DENY. */
2603
2604HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2605return FAIL;
2606}
2607
2608
2609/*************************************************
2610* Check access using an ACL *
2611*************************************************/
2612
2613/* This is the external interface for ACL checks. It sets up an address and the
2614expansions for $domain and $local_part when called after RCPT, then calls
2615acl_check_internal() to do the actual work.
2616
2617Arguments:
2618 where ACL_WHERE_xxxx indicating where called from
2619 data_string RCPT address, or SMTP command argument, or NULL
2620 s the input string; NULL is the same as an empty ACL => DENY
2621 user_msgptr where to put a user error (for SMTP response)
2622 log_msgptr where to put a logging message (not for SMTP response)
2623
2624Returns: OK access is granted by an ACCEPT verb
2625 DISCARD access is granted by a DISCARD verb
2626 FAIL access is denied
2627 FAIL_DROP access is denied; drop the connection
2628 DEFER can't tell at the moment
2629 ERROR disaster
2630*/
2631
2632int
2633acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2634 uschar **log_msgptr)
2635{
2636int rc;
2637address_item adb;
2638address_item *addr;
2639
2640*user_msgptr = *log_msgptr = NULL;
2641sender_verified_failed = NULL;
2642
2643if (where == ACL_WHERE_RCPT)
2644 {
2645 adb = address_defaults;
2646 addr = &adb;
2647 addr->address = data_string;
2648 if (deliver_split_address(addr) == DEFER)
2649 {
2650 *log_msgptr = US"defer in percent_hack_domains check";
2651 return DEFER;
2652 }
2653 deliver_domain = addr->domain;
2654 deliver_localpart = addr->local_part;
2655 }
2656else
2657 {
2658 addr = NULL;
2659 smtp_command_argument = data_string;
2660 }
2661
2662rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2663
2664smtp_command_argument = deliver_domain =
2a3eea10 2665 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH		 2666
2667/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2668ACL, which is really in the middle of an SMTP command. */
2669
2670if (rc == DISCARD)
2671 {
2672 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2673 {
2674 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2675 "ACL", acl_wherenames[where]);
2676 return ERROR;
2677 }
2678 return DISCARD;
2679 }
2680
2681/* A DROP response is not permitted from MAILAUTH */
2682
2683if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2684 {
2685 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2686 "ACL", acl_wherenames[where]);
2687 return ERROR;
2688 }
2689
2690/* Before giving an error response, take a look at the length of any user
2691message, and split it up into multiple lines if possible. */
2692
2693if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2694 {
2695 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2696 uschar *ss = s;
2697
2698 for (;;)
2699 {
2700 int i = 0;
2701 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2702 if (*ss == 0) break;
2703 if (*ss == '\n')
2704 s = ++ss;
2705 else
2706 {
2707 uschar *t = ss + 1;
2708 uschar *tt = NULL;
2709 while (--t > s + 35)
2710 {
2711 if (*t == ' ')
2712 {
2713 if (t[-1] == ':') { tt = t; break; }
2714 if (tt == NULL) tt = t;
2715 }
2716 }
2717
2718 if (tt == NULL) /* Can't split behind - try ahead */
2719 {
2720 t = ss + 1;
2721 while (*t != 0)
2722 {
2723 if (*t == ' ' || *t == '\n')
2724 { tt = t; break; }
2725 t++;
2726 }
2727 }
2728
2729 if (tt == NULL) break; /* Can't find anywhere to split */
2730 *tt = '\n';
2731 s = ss = tt+1;
2732 }
2733 }
2734 }
2735
2736return rc;
2737}
2738
2739/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.